I for one would rather not send 2.0 versions. We know 2.0 has some rough edges and we do not want the world adopting 2.0. We want them adopting 2.1. TAXII 2.1 is almost done. We should be ready for the public review period to open on Monday. That will last 30 days, so mid January. We will need to do another CSD ballot and another 15 day Public Review after that, so TAXII could be a CS by end of February.
STIX 2.1 on the other hand is a bit farther out. But I think if we brought it up to the full TC that we have an "opportunity" to send our work to the ITU, this may be a driving force to get STIX 2.1 done. It is very possible for us to get the cyber observable piece done in January. We could finish Malware and Infrastructure based on this new Cyber Observables by mid February if we worked hard. Then given the process, it would take 2 more months for ballots and public reviews. So we could potentially have a STIX 2.1 CS first of May.
Yes this means that neither of these are official OASIS Standards. But we could then take them to that level and have them done by end of July.
Yes this means we would have our work cut out for us. But if we tell the full TC and spin it in the right way, this could be an opportunity.
Once the ITU adopts something (X.500, X.509, both of which you should be familiar with) then the standard can be implemented in national standards and national policies. We do not want national policies saying to implement 2.0 when we know it has rough edges. This will force us to live with 2.0 for 20 years.
Bret
From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Kelley, Sarah E. <skelley@mitre.org>
Sent: Thursday, December 13, 2018 12:16:28 PM
To: Chet Ensign; Jason Keirstead
Cc: Allan Thomson; OASIS CTI TC Discussion List; Jamie Clark; Struse, Richard J.; trey.darley@cert.be
Subject: [EXT] RE: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply
This drives to the point of my question. It sounds like he wants to announce in January that they'll be working towards getting STIX/TAXII into ITU in the summer. Yet it requires that STIX/TAXII be full Oasis standards in order to do that, and they currently aren't. Is it even possible for us (timing-wise) to meet that deadline? Given the pace at which things move in the TC, my concern is that we would say "Yes of course!" and then fail to meet the deadline by not getting them into full Oasis Standards by the ITU deadline.
Thanks,
Sarah Kelley
Lead Cybersecurity Engineer, T8B2
Defensive Operations
The MITRE Corporation
703-983-6242
skelley@mitre.org
From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> On Behalf Of Chet Ensign
Sent: Thursday, December 13, 2018 1:59 PM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: Allan Thomson <athomson@lookingglasscyber.com>; OASIS CTI TC Discussion List <cti@lists.oasis-open.org>; Jamie Clark <jamie.clark@oasis-open.org>; Struse, Richard J. <rjs@mitre.org>; Kelley, Sarah E. <skelley@mitre.org>; trey.darley@cert.be
Subject: Re: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply
Oh and also, that is not an ITU requirement, it is our own OASIS policy.
I agree with Allan..
Furthermore, I believe that if it requires for 2.0 to be a full OASIS standard - that perhaps we should go down that path.
IE - roadblocking this on 2.1 and that yet-to-be-determined timeframe, is not IMO a good idea whatsoever.
Can we get clarity on what level of specification ITU requires - CSD, CS, COS, OASIS Standard?
-
Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security
"Things may come to those who wait, but only the things left by those who hustle." - Unknown
From: Allan Thomson <athomson@lookingglasscyber.com>
To: "Kelley, Sarah E." <skelley@mitre.org>, Jamie Clark <jamie.clark@oasis-open.org>, OASIS CTI TC Discussion List <cti@lists.oasis-open.org>, "Struse, Richard J." <rjs@mitre.org>, "trey.darley@cert.be" <trey.darley@cert.be>
Cc: Chet Ensign <chet.ensign@oasis-open.org>
Date: 12/13/2018 01:58 PM
Subject: Re: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply
Sent by: <cti@lists.oasis-open.org>
Regardless of when STIX2 becomes a full approved standard I think OASIS guidance to ITU-T should be that they should not standardize a standard (version 1) that is already being replaced for good reason.
I think it makes ITU-T look foolish and disconnected. But if they want to do that then go ahead. It's just an opinion.
Allan Thomson
CTO (+1-408-331-6646)
LookingGlass
Cyber Solutions
From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "Kelley, Sarah E." <skelley@mitre.org>
Date: Thursday, December 13, 2018 at 9:54 AM
To: Allan Thomson <athomson@lookingglasscyber.com>, "jamie.clark@oasis-open.org" <jamie.clark@oasis-open.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, "Struse, Richard J." <rjs@mitre.org>, "trey.darley@cert.be" <trey.darley@cert.be>
Cc: Chet Ensign <chet.ensign@oasis-open.org>
Subject: RE: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply
If we would prefer to use STIX/TAXII 2, does this require that some form of STIX 2 and TAXII 2 be a full Oasis standard before next summer? Am I reading that correctly?
Sarah Kelley
Lead Cybersecurity Engineer, T8B2
Defensive Operations
The MITRE Corporation
703-983-6242
skelley@mitre.org
From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> On Behalf Of Allan Thomson
Sent: Thursday, December 13, 2018 12:02 PM
To: Jamie Clark <jamie.clark@oasis-open.org>; OASIS CTI TC Discussion List <cti@lists.oasis-open.org>; Struse, Richard J. <rjs@mitre.org>; trey.darley@cert.be
Cc: Chet Ensign <chet.ensign@oasis-open.org>
Subject: Re: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply
The importance of making sure VERSION 2 is the version to be considered as the primary standard for CTI sharing cannot be understated.
The market already does not understand the important and significant differences between v1 and v2.
I strongly suggest that OASIS make sure the ITU-T does everything it can to adopt version 2 not 1.
Allan Thomson
CTO (+1-408-331-6646)
LookingGlass
Cyber Solutions
From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "jamie.clark@oasis-open.org" <jamie.clark@oasis-open.org>
Date: Thursday, December 13, 2018 at 8:49 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, "Struse, Richard J." <rjs@mitre.org>, "trey.darley@cert.be" <trey.darley@cert.be>
Cc: Chet Ensign <chet.ensign@oasis-open.org>
Subject: [cti] Submission of STIX/TAXII to ITU-T? Plan for reply
Dear members of the CTI TC:
After consultation with your chairs, they asked us to share this (attached) communication from ITU-T's Study Group 17 (on cybersecurity), inquiring about a contribution of STIX and TAXII for their endorsement and approval.
BACKGROUND. OASIS has contributed many standards to global de jure standards bodies like ITU-T, including a number successfully approved by ITU's SG17. [1] The ground rules for doing so can be found in the OASIS liaison policy [2]. There are several process requirements, which include OASIS Standard status, and an approval vote from the originating TC.
Staff's view is that submission is appropriate and expected to be successful.
OASIS submissions to the study group occur with the condition that, while comments are welcome, only the final approved version of the OASIS submission can be considered ... in other words, the ITU panel would not have the right to make changes as part of its approval process.
CONSIDERATIONS FOR THIS SUBMISSION. Your Versions 1 of STIX and TAXII have become OASIS Standards, as you know. Your work on bringing your Versions 2 to that status is ongoing. Our understanding with your leadership was that, while the Versions 1 are not officially deprecated, your TC wishes to encourage implementation of the newer (and differently schemed) Versions 2; so a promotion of Versions 1 to international standard status at this time might not achieve your goals.
We have been advised that you likely would wish to submit both STIX and TAXII together, and wait until both versions are eligible (as an OS) before submitting. The schedule of SG17 essentially uses live meetings once every six months, so this would probably result in a mid-2019 submission, assuming you support it.
RECOMMENDATION. If we are correct that your preference is to submit Versions 2.X, then we suggest that OASIS reply to this inquiry now, with a polite and encouraging indication that the TC expects to submit the completed version to ITU as soon as they're available, within a few months.
That would allow us to provide a positive statement as feedback to the January 2019 meeting, for which planning is now underway.
ACTION REQUESTED. Would you please let us (and the TC) know if there's any objection to that approach? We'll plan to send the "version 2 coming soon" message, as described above, which requires no TC vote, if we hear no objections.
If on the other hand, there is TC sentiment to send completed Versions 1 to ITU for consideration for promotion and republication as "ITU-T Recommendations" (their version of international standards), then please advise your TC leadership and my colleague Chet Ensign, as that could be done by a web ballot TC vote at any time and a short public notice to the membership.
Please feel free to contact Chet or me if you have any questions.
Kind regards
Jamie
[1] Including SAML, XACML and CAP (an emergency services resources info protocol).
[2] https://www.oasis-open.org/policies-guidelines/liaison#submitwork
James Bryce Clark, General Counsel
OASIS: Advancing open data, code and standards for the information society
https://www.oasis-open.org/staff
EU Commission 2018 Rolling Plan for Open ICT Standards: http://j.mp/EUstds2018
OASIS Borderless Cybersecurity conference, October 2018:
https://us18.borderlesscyber.org/en/
Previously Prague 2017, NYC 2017, Tokyo 2016, Brussels 2016, World Bank 2015
--
Chief Technical Community Steward
OASIS: Advancing open standards for the information society
http://www.oasis-open.org
Primary: +1 973-996-2298
Mobile: +1 201-341-1393